Background
On October 25th 2022, the OpenSSL project team announced that they would release a fix on November 1st 2022 for a critical vulnerability in OpenSSL version 3.0 or higher. OpenSSL is a popular library that provides cryptographic functions and is often used for implementing secure communications. In particular, it is often used to implement Transport Layer Security (TLS), the successor of Secure Sockets Layer (SSL).
DataMiner Impact
Although the details of the vulnerability are not publicly available yet, we can already determine the impact on DataMiner. DataMiner relies on OpenSSL version 1.1.1.3, which should not be affected by this vulnerability.
We are in the process of identifying which of the DataMiner dependencies (e.g. MySQL, Cassandra, Elasticsearch, …) are affected by this vulnerability. As more information becomes available over the next few days, we will update this blog post accordingly.
Elasticsearch Impact (update 03/11)
Elasticsearch has confirmed they are unaffected by these vulnerabilities. For more information, see this Elasticsearch security statement.
MySQL Server Impact (update 03/11)
The latest version of MySQL Server 5.7 relies on OpenSSL version 1.1.1q, which is unaffected by these vulnerabilities.
Apache Cassandra Impact (update 03/11)
Apache Cassandra does not rely on OpenSSL and is unaffected.
NATS Server Impact (update 04/11)
NATS confirmed they are not affected by the vulnerabilities. For more information, see this NATS forum post.
For any questions, please contact infosec@skyline.be.
Thanks for helping the community to keep things secure, Jens. Your expertise and guidance are very much valued by everybody!